I noticed one of my servers is sending more logs than the other. `sshd` was the application sending the most logs in the last 24 hours.
The logs look like these:
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=126.96.36.199 user=root
Failed password for root from 188.8.131.52 port 14281 ssh2
message repeated 2 times: [ Failed password for root from 184.108.40.206 port 14281 ssh2]
Received disconnect from 220.127.116.11 port 14281:11: [preauth]
Disconnected from 18.104.22.168 port 14281 [preauth]
PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=22.214.171.124 user=root
Since the IPs are being logged, I can tell where these are coming from. Let’s generate a map.
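Before mapping, the failures have to be counted per source address. This is an added example, not the author’s script: it parses the sshd line formats shown above, honouring syslog’s “message repeated N times” compression, and skips the pam_unix lines because they describe the same attempts as the “Failed password” lines and would double-count. The sample lines are constructed, reusing the addresses that appear in the post.

```python
import re
from collections import Counter

# sshd writes one "Failed password" line per attempt; syslog may fold
# consecutive identical lines into a "message repeated N times: [...]" line.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+"
)
REPEATED_RE = re.compile(r"message repeated (\d+) times: \[\s*(.*?)\s*\]")

# Constructed sample, addresses taken from the log excerpt in the post.
SAMPLE_LOG = """\
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=126.96.36.199 user=root
Failed password for root from 188.8.131.52 port 14281 ssh2
message repeated 2 times: [ Failed password for root from 184.108.40.206 port 14281 ssh2]
Received disconnect from 220.127.116.11 port 14281:11: [preauth]
Disconnected from 18.104.22.168 port 14281 [preauth]
PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=22.214.171.124 user=root
Failed password for root from 188.8.131.52 port 51022 ssh2
Failed password for root from 188.8.131.52 port 51040 ssh2
""".splitlines()


def count_failures(lines):
    """Return (failures per source IP, failures per user) from sshd log lines.

    Only "Failed password" lines (and their repeated-message summaries) are
    counted; pam_unix / "PAM N more" lines refer to the same attempts.
    """
    by_host, by_user = Counter(), Counter()
    for line in lines:
        multiplier = 1
        rep = REPEATED_RE.search(line)
        if rep:  # unwrap the folded line and keep its repeat count
            multiplier, line = int(rep.group(1)), rep.group(2)
        m = FAILED_RE.search(line)
        if m:
            user, host = m.group(1), m.group(2)
            by_host[host] += multiplier
            by_user[user] += multiplier
    return by_host, by_user


def top_sources(lines, n=10):
    """Most active source IPs, as (ip, failure_count) pairs, busiest first."""
    by_host, _ = count_failures(lines)
    return by_host.most_common(n)


if __name__ == "__main__":
    for ip, count in top_sources(SAMPLE_LOG):
        print(f"{count:6d}  {ip}")
```

Feed it the real file with `count_failures(open("/var/log/auth.log"))`; the per-IP counter is what a GeoIP lookup then turns into the map.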
Well well well, 5437 occurrences from China. Gotta do something. Here’s the frequency of the attacks this week.
It seems to have amplified today. Looking at the logs, we can see that they were trying different passwords for the user `root`. Lemme just disable password authentication for SSH.
$ vim /etc/ssh/sshd_config
Change the line
$ service ssh restart
And we can see the logs are no longer appearing 😉
Do you wish to analyse your server logs too? Feel free to message me on Facebook or Twitter or LinkedIn